CWE-396: Declaration of Catch for Generic Exception
Declaration of Catch for Generic Exception
Weakness ID: 396 (Weakness Base)
Status: Draft
Description
Description Summary
Catching overly broad exceptions promotes complex error
handling code that is more likely to contain security
vulnerabilities.
Extended Description
Multiple catch blocks can get ugly and repetitive, but "condensing" catch
blocks by catching a high-level class like Exception can obscure exceptions
that deserve special treatment or that should not be caught at this point in
the program. Catching an overly broad exception essentially defeats the
purpose of Java's typed exceptions, and can become particularly dangerous if
the program grows and begins to throw new types of exceptions. The new
exception types will not receive any attention.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
C++
Java
.NET
Demonstrative Examples
Example 1
The following code excerpt handles three types of exceptions in an
identical fashion.
(Good Code)
Java
try {
doExchange();
}
catch (IOException e) {
logger.error("doExchange failed", e);
}
catch (InvocationTargetException e) {
logger.error("doExchange failed", e);
}
catch (SQLException e) {
logger.error("doExchange failed", e);
}
At first blush, it may seem preferable to deal with these exceptions
in a single catch block, as follows:
(Bad Code)
try {
doExchange();
}
catch (Exception e) {
logger.error("doExchange failed", e);
}
However, if doExchange() is modified to throw a new type of exception
that should be handled in some different kind of way, the broad catch
block will prevent the compiler from pointing out the situation.
Further, the new catch block will now also handle exceptions derived
from RuntimeException such as ClassCastException, and
NullPointerException, which is not the programmer's intent.
Description
